Oracle to better explain future patches

With Oracle set to release the year's final quarterly security patch bundle on Tuesday, the database vendor is making it easier for security professionals to gauge the extent of the flaws being corrected.

At the urging of Oracle customers, the quarterly Critical Patch Updates (CPUs) will now include documentation that more clearly explains the issues being fixed, Eric Maurice, security manager in Oracle's Global Technology Business Unit, said in a blog post on Wednesday.

Specifically, the updates will use the Common Vulnerability Scoring System (CVSS) to rate each bug, flag the flaws that are critical and remotely exploitable, and include a "high-level" overview of each defect and its fix, similar to Microsoft's monthly security bulletins.

"One of the key challenges security professionals face when they receive a vendor-issued security patch is to assess the criticality of the underlying vulnerability," Maurice said. "This assessment is critical when deciding the priority and timing of the patch in light of the risk created by the vulnerability and the organization's business requirements."
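The two points above, a CVSS rating for each bug and a flag for the ones that are reachable remotely, are exactly the inputs a patch-prioritisation script consumes. The following is an added example, not code from Oracle or from this article: the page does not say which CVSS version the CPU documentation uses, so it implements the CVSS v2.0 base-score equations; the "remote exploit without authentication" test (access vector Network and no authentication) is this example's own heuristic for the article's "critical and remotely exploitable" category, and the sample vectors and component names are constructed, not taken from any Oracle advisory.

```python
"""CVSS v2.0 base-score calculator with a "remote, unauthenticated" flag.

Added example (not Oracle's or SC Magazine's code). Assumptions: CVSS v2.0
base metrics (the page does not name a version); the remote_without_auth()
heuristic is this example's own; SAMPLE_ADVISORIES is constructed data.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights (from the v2.0 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

METRICS = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a {metric: letter} dict.

    Rejects missing, duplicated or unknown metrics and unknown values, so a
    typo in an advisory feed fails loudly instead of silently scoring low.
    """
    parsed = {}
    for part in vector.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in METRICS:
            raise ValueError(f"unknown metric in vector: {part!r}")
        if name in parsed:
            raise ValueError(f"duplicate metric: {name}")
        if value not in METRICS[name]:
            raise ValueError(f"bad value {value!r} for metric {name}")
        parsed[name] = value
    missing = set(METRICS) - set(parsed)
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return parsed


def _round1(x):
    # CVSS rounds to one decimal, half up; avoid Python's banker's rounding.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """CVSS v2.0 base score: 0.6*Impact + 0.4*Exploitability - 1.5, times f(Impact)."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # no impact at all scores 0.0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def remote_without_auth(vector):
    """Example heuristic (assumption): network-reachable and no credentials required."""
    m = parse_vector(vector)
    return m["AV"] == "N" and m["Au"] == "N"


def prioritize(advisories):
    """Order (component, vector) pairs: remote-unauthenticated first, then by score."""
    rows = [
        (component, vector, base_score(vector), remote_without_auth(vector))
        for component, vector in advisories
    ]
    return sorted(rows, key=lambda r: (not r[3], -r[2], r[0]))


# Constructed sample input; these are not real Oracle CPU entries.
SAMPLE_ADVISORIES = [
    ("Database Server", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("Application Server", "AV:N/AC:M/Au:S/C:P/I:N/A:N"),
    ("Database Listener", "AV:L/AC:L/Au:N/C:N/I:N/A:P"),
    ("E-Business Suite", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
]

if __name__ == "__main__":
    for component, vector, score, remote in prioritize(SAMPLE_ADVISORIES):
        flag = "remote/no-auth" if remote else ""
        print(f"{score:4.1f}  {component:<20} {vector}  {flag}")
```

The base score describes the vulnerability in isolation; the sort order above is only a starting point, and the organisation still has to weigh it against where the affected component sits in its own environment, which is the point Maurice makes.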

With each CPU, Oracle will include an executive summary that "will provide a plain English explanation of the vulnerabilities" that can be used "to brief executive management and other non-IT groups on the nature of the defects being patched."

Ron Ben-Natan, CTO of database security firm Guardium, said the new features reflect Oracle's growing commitment to security.

"Oracle has always had a legacy of security," he told SCMagazine.com today. "They've always put stress on security, but they've also had some issues in the last couple of years. I think this is a very natural thing to do. It will make things more usable for their customers. I think it's important for Oracle to be doing this."

He said Oracle, based in Redwood Shores, Calif., and other vendors are beginning to value security investment and are learning that it serves as a competitive advantage.
